Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
19-05-2024 01:52
General
-
Target
4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll
-
Size
120KB
-
MD5
4bceefbe345b452abeb46ece84d2ed50
-
SHA1
c77be676463a84a7350f0a43f3117e79562efa16
-
SHA256
93fe6d0e6779b13610e5106a44faa5f7089232d5ef85926bf9a0eb8a6e774a5d
-
SHA512
d0f877869d769d866750b6b05165c7c63b5043b0830591c634a4b9577edd323d10bd24a23766d80884dfa7b490721d59240b929b7d54d726dab53afb57e9f392
-
SSDEEP
1536:LKlY9zzPhfAkgf1nF8BleBXWX8TtKjf1ZIh8O8uOyVh8Y2Cdv4TVEKLx3yScvxv/:mizPGnF8BuEk3Y/CdyFncvRu3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f762137.exeC:\Users\Admin\AppData\Local\Temp\f762137.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76231a.exeC:\Users\Admin\AppData\Local\Temp\f76231a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7645a8.exeC:\Users\Admin\AppData\Local\Temp\f7645a8.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5660059d8fa669f387e47797817c5e4ca
SHA1444909d3a2b6577dd5a173796581cbd65db3fdda
SHA256a1ccc6ea1abf623c1995e403a6f4e34ad9e5a707fd7e4b87a51c0c463cd90c0a
SHA512621f08a9d03fe50d783bc87208188688b6f0b5aa06b301ee84fba7be20a8b0db9ffa1cc6008899d5d0dadb02acfa8105351176d93a367f22b9c3146570922b08
-
\Users\Admin\AppData\Local\Temp\f762137.exeFilesize
97KB
MD5fec4f783bd68280cc60aedb74e1a4481
SHA105a05fc98323e28d5bb5a2a194a05698911faaea
SHA256d2927b19d9a11f5998311d9a6a98c169dbed017cc197b5180f1cb6de99c2a526
SHA512f582543b4a3151b352e2f4fe300b69db0dd1329f5cf87e512edb8a6178cedb6cc85700eb29043bfe0c5d7673d177ca07513b73a5c1f2238c76162b8c523e3b72
-
memory/1112-18-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2144-9-0x0000000000130000-0x0000000000142000-memory.dmpFilesize
72KB
-
memory/2144-8-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2144-73-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/2144-76-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/2144-26-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/2144-51-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/2144-10-0x0000000000130000-0x0000000000142000-memory.dmpFilesize
72KB
-
memory/2144-25-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/2144-49-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/2144-50-0x00000000001D0000-0x00000000001E2000-memory.dmpFilesize
72KB
-
memory/2144-36-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/2220-59-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-100-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-37-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2220-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2220-34-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-38-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-16-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-17-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-40-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-39-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-41-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-15-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-33-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2220-60-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-61-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-62-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-63-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-14-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-12-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-139-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2220-78-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-140-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-107-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-105-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-93-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2220-104-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-101-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/2220-35-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2444-99-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2444-97-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2444-98-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2444-77-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2444-156-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3044-89-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/3044-90-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/3044-86-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/3044-53-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3044-145-0x0000000000A10000-0x0000000001ACA000-memory.dmpFilesize
16.7MB
-
memory/3044-152-0x0000000000A10000-0x0000000001ACA000-memory.dmpFilesize
16.7MB
-
memory/3044-151-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB